pg_insert

Descrierea

pg_insert() inserts the values of assoc_array
into the table specified by table_name.
If options is
specified, pg_convert() is applied
to assoc_array with the specified options.

Parametri

connection

PostgreSQL database connection resource.

table_name

Name of the table into which to insert rows. The table table_name must at least
have as many columns as assoc_array has elements.

assoc_array

An array whose keys are field names in the table table_name,
and whose values are the values of those fields that are to be inserted.

options

Any number of PGSQL_CONV_OPTS,
PGSQL_DML_NO_CONV,
PGSQL_DML_ESCAPE,
PGSQL_DML_EXEC,
PGSQL_DML_ASYNC or
PGSQL_DML_STRING combined. If PGSQL_DML_STRING is part of the
options then query string is returned. When PGSQL_DML_NO_CONV
or PGSQL_DML_ESCAPE is set, it does not call pg_convert() internally.

A se vedea și

User Contributed Notes 9 notes

Returns SQL statement, slight improvement on the code from 'rorezende at hotmail dot com'. This version adds bool values correctly.It also checks to make sure there is actually a value in the array before including it in the sql statement. (ie: null values or empty strings won't be added to the sql statement)

Beware of the following: pg_insert() and pg_update() are adding slashes to all character-like fields they work with. This makes them SQL injection super-safe, but there are unwanted consequences, as follows:

If you have a regular setup with magic_quotes_gcp=On, and you use pg_insert() or pg_update(), you will end up with fields that look as if you used addslashes() twice. To solve this, you can use stripslashes() on the data just before using it with pg_insert() or pg_update().

There's another alternative, which seems better to me. Why make yourself crazy all over the code, adding slashes, stripping slashes, worrying whether magic_quotes_gpc is on or off and so on and so forth? Why do this, when the only place you actually need those slashes is right when you push the data into the database?

So why not get rid of your addslashes() and stripslashes() from all over your code, and turn magic_quotes_gcp off. As long as you always use pg_insert() and pg_update() to do your DB work, you're SQL-injection safe AND slash-headache free.

Next version :) My version checks whether value is bool, null, string or numeric and if one of the values is not function returns false if not. null values are inserted as NULL, bool as true or false and strings are add-shlashed before adding to query string. Note, that this function is not safe. SQL injection is possible with column names if you use $_POST or something similar as a $array.

- I could not get it to work with column names that are SQL reserved words (example: desc, order). I was forced to change the column names in order to use the function. I could not put the column names in quotes, because that caused pg_convert() to fail.

- Function was returning false until I passed the PGSQL_DML_EXEC option.